简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
安全 - Linux的audit.log日志审计
天蓬老师
天蓬老师 2017-04-17 16:37:08
0
3
1350

我在阿里云买了一台主机,然后最近发现数据库被删了.查看audit.log时候发现一些可疑IP的ssh远程登录.例如下面这些信息,是否可以断定被黑客入侵了.

type=USER_LOGIN msg=audit(1483695199.639:6342): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=login acct=xxxxxxx exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1483695199.643:6343): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=PAM:authentication grantors=? acct="?" exe="/usr/sbin/sshd" hostname=xxxxxxx addr=xxxxxxx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1483695201.437:6344): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=password acct=xxxxxxx exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1483695201.749:6345): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=PAM:authentication grantors=? acct="?" exe="/usr/sbin/sshd" hostname=xxxxxxx addr=xxxxxxx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1483695204.151:6346): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=password acct=xxxxxxx exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1483695204.464:6347): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=PAM:authentication grantors=? acct="?" exe="/usr/sbin/sshd" hostname=xxxxxxx addr=xxxxxxx terminal=ssh res=failed'
type=USER_AUTH msg=audit(1483695205.943:6348): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=password acct=xxxxxxx exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1483695206.255:6349): pid=28805 uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=destroy kind=session fp=? direction=both spid=xxxxxxx suid=xxxxxxx rport=xxx laddr=xxxxxxx lport=22  exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1483695206.256:6350): pid=28805 uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=destroy kind=server fp=xxxxxxx direction=? spid=xxxxxxx suid=0  exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1483695206.256:6351): pid=28805 uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=destroy kind=server fp=xxxxxxx direction=? spid=xxxxxxx suid=0  exe="/usr/sbin/sshd" hostname=? addr=xxxxxxx terminal=? res=success'
天蓬老师
天蓬老师

欢迎选择我的课程,让我们一起见证您的进步~~

reply all(3)
phpcn_u3069
phpcn_u30692017-06-05 15:20:48 3 floor

Curious what does CRYPTO_KEY_USER mean? There are some very unfamiliar IPs in my logs, and the last one is success. Does it mean that I have been logged in?

Like +0
Add Reply
Peter_Zhu
Peter_Zhu2017-04-17 16:39:08 2 floor

It can basically be confirmed, and it should be entered into your machine through brute force

Nowadays, many hacker machines on the Internet blast the entire IP range 24 hours a day, scan for weak passwords and try to log in automatically, so try not to use weak passwords and limit the number of logins in a short period of time.

Like +0
Add Reply
伊谢尔伦
伊谢尔伦2017-04-17 16:39:08 1 floor

Consider ordinary users using public keys to log in, and prohibit password and root user login.

Like +0
Add Reply
Popular Topics
More>
Popular Articles
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!